The Limits of Identity Cards

Good legal paper on the limits of identity cards: Stephen Mason and Nick Bohm, "Identity and its Verification," in Computer Law & Security Review, Volume 26, Number 1, Jan 2010.

Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question, 'Identity with what?' An enquirer equipped with the answer to this question is in a position to tackle, on a rational basis, the task of deciding what evidence will be useful for the purpose. Without the answer to the question, the verification of identity becomes a sadly familiar exercise in blind compliance with arbitrary rules.

The UK media is happily replaying calls for the identity of the child killer Jon Venables to be revealed. Aside from the irony of the request, what is it that is being demanded and do you get different results based on who's doing the asking? His name and address now or then, or his biometrics (which could reverse lookup into two or more sets of name and address) or both? And what answer would you get if you were doing some historical research and asking the question as of 1992 (the year before his conviction and "change" of identity)? Would you get the current identity, which would make no sense as of 1992?

This looks to me like another "discovery of America" piece. So, the authors have just now realized that the concept of "identity" is hard to pin down. What a brilliant revelation. Those of us in the IdM trenches are well aware of this problem, which is semantic in nature. All we really need is a separate word for the concept of the token(s) which are bound to an underlying carbon-based lifeform. Then we could bifurcate the discussion and put the philosophical part back where it belongs.

@John: "Doesn't having an ID card with multiple biometrics raise the cost of replicating an identity beyond the value of most people's transactions?"
________

Probably. Other possible (probable) consequences include the false sense of security we'd have in someone with a fake ID card, and also a lost/stolen ID card that included anything biometrical about the person it identified would be used to compromise other authentication/identification mechanisms (i.e., they'd figure out how to use the fingerprint / retina scan / etc. to compromise a system that is authenticated using biometrics).

The cost is higher than most would expect, and the return is lower than most would expect.

@John
RE: "What about id cards that use multiple biometric measures (face, fingerprint, eye,...). Are they considered sufficient to identify an individual?"

That would be enough to show that the person giving you the card was the person to whom the card was issued. But it doesn't validate any of the other information on the card: Name, BirthDate, Nationality, etc. All of that information is not verifiable from the card. To accept the rest of the information you have to trust the card issuer and the unforgeability of the card.
--
JimFive

@Jan Hertsens: "As for the "plastic surgery" attack: Is that not a "movie plot" threat? How often has this happened in the real world, outside of the intelligence community?"
_________

Reminds me of when I was 21 and tried to buy booze, and the cashier was puzzled. The state just changed their IDs to have state-shaped pictures and other anti-copy stuff on the license. His supervisor walked over, looked at the ID, and calmly said "if he made that, he's getting his beer."

3, A body may therefore have many contexts to be in which may have non unique labels.

4, A body may have changing biometrics depending on what and how you measure.

5, There may be many bodies with the same biometric depending on what and how you measure.

6, The law in most places allows you to call yourself what you wish when you wish, unless you are committing a crime by so doing.

Now to get to the real point about National and other ID schemes it's all about money...

In the case of National systems it's to prevent tax evasion by the people at the bottom (those at the top have legal ways to avoid paying tax).

Anything else your Government may tell you about ID schemes is almost certainly a lie.

ID systems do not prevent crime, illegal immigration, benefits cheating, identity theft, terrorism, or any other "ism" they may care to wave around.

In point of fact they actually make all of the above easier to do...

Basically you introduce a single point of "corruption" which criminals will avail themselves of (as seen in the UK where ID brokers were arrested with hundreds of ID documents including very very good fakes of the UK National ID card).

There is plenty of evidence to support this view from all over the world if you go out and look for it.

Especially when you start looking at prejudice crimes right through to genocide.

And please remember that society as we currently know it, cannot exist with the sort of ID systems proposed by the likes of the UK Government.

The whole scheme is based on stupidity and you should let every politician you know know that a "Yes to ID vote" from them will mean "A no vote for them" at election time.

@mauli Identity theft may well be less prevalent in Germany than in other countries. However, it is also illegal in Germany to create a register of the whole population, which is what the UK government wants to do. It's the big databases that are the problem, not the pieces of plastic.

There only seems to be weak correlation between personal freedom (and privacy) and national strong IDs. Most all European countries have them, and have had them for decades, and probably have stronger effective political participation and privacy laws than, say, the US. (Which obviously has had driver's licenses for ages, only a tiny fraction of which is probably forged.)

I also find it surprising that we accept that most IT security mechanisms are not 100% (but still useful), but then expect personal IDs to either be 100% effective, non-forgeable and proof positive even against movie plot threats or be completely useless.

In a modern society where people don't know each other personally, we seem to need to identify people with reasonable accuracy during daily transactions (buying beer, driving, picking up stored mail at the post office, opening a checking account, claiming benefits). There was an interesting article on India recently, which indicated all the we-take-for-granted things that don't work if you don't have plausible identity mechanism, and usually to the detriment of the poor.

In many cases, these are essentially the same defense as having a lock on your door - it doesn't keep a determined burglar out, but raises the bar from "accidentally" wandering into your house to breaking & entering. Same thing for IDs - "forgetting" that one isn't of age becomes forgery.

Rather than repeating the same "oh-no, yellow stars of David are next", it would be interesting to hear the alternatives to strong IDs. Get rid of under-age drinking laws? Have no checks on employment of non-legal immigrants? Those might be good options, but it's a bit more honest than simply scoring easy points on the DMV.

"In this respect digital signatures are less secure than those made by handwriting: the ability to make a holograph signature simply cannot be transferred from one person to another. Holograph signatures are bound to their makers in a way that technology has so far failed to replicate for their digital counterparts."

Right there is where the author lost all respect. Anyone can forge anyone else's holographic signature. Your "holograph signature" is easily obtained from any dinner receipt, or many public documents that one has entered before. They are not only easily transferred, but forged, and misinterpreted in the same way he complains about non-experts verifying with photo ID.

Yes, you cannot expect every user to have the reading hardware. In fact, you can expect nobody to have it. But to those where it matters, then that card is invaluable.

He mentions entering prisons. It would not be a stretch for all prisons to have the appropriate reading hardware with a pin pad (and possibly further biometrics, like DNA readers) to verify the card holder is in fact the person before them, with internet connections (or cached CRL's) to verify it was not revoked.

For people soliciting services, yes, identity cards are a long shot. But for entering legal documents into the courts, digital signatures would not at all be beyond the capabilities of the system. They aren't going to be using a client's laptop; they will use their own machine or "trusted" court computers (or devices). He doesn't even mention the protection that digital signatures provide against post-signing tampering, which is a very very major benefit.

I feel like the author of the paper completely neglected the main purpose for these sorts of things. For low impact verification, it's not really useful right now because there is no availability for the hardware. But for major impact verification, such solid verification from digital signatures should be available.

He makes an argument that people would need to sign off saying that nobody else has access to the private key, and that it's bad when compared to holographic signatures. Holographic signatures don't carry that guarantee. In fact, they are the very "private information" that has to be distributed to everyone which he complains about in 1.1.

It hurts me to read the top part, which is a good characterization of the problems, followed by a horrible mischaracterization of the benefits of cryptographic identity cards.

As for the charge that biometrics on the card could be used to forge the biometrics (such as replicating a fingerprint), the card itself should be the primary authenticator. If it has been revoked, then it won't even get as far as checking that. A stolen card should be reported missing quickly. And secondary verification that cannot be gleaned from the card (such as a pin/password) should be used as well. Things like DNA are extremely hard to replicate. When issuing a card or replacing one, DNA from a vein could be used to verify the person. That doesn't need to be included on a card, but could be. Getting a used tissue from a flesh wound is fairly easy anyways.

And if you got this far reading my rambling post, congrats. You get a cookie. ;)

I believe one of the biggest obstacles we have is our pursuit of a "silver bullet" or the "holy grail" of security. As Clive noted, one point of control is one point of failure and corruption.

Layers is the way to go. Once you get over the moat, you still have to get in the castle. Once you get in the castle, you still have to get past the guards. Once you get past the guards, you still have to....

The point is that biometrics etc can confirm the holder of the ID is the person that was issued with it - this is a completely different problem from who the person IS.

So I apply for an ID card as Napoleon, have my fingerprints taken and a card issued = that proves I am Napoleon!

A slightly less silly example, assume I am terrorist/criminal/spy etc - I presumably have the ability to create a forged birth certificate, immigration papers etc. By adding a biometric ID card all you do is prevent anybody questioning that identity.

About 10 years ago, I got a new credit card and forgot to sign the back of it. While I won't disclose the name of the hut where I bought the pizza, the cashier did tell me he couldn't accept the card without me signing it. So I signed it and gave it back to him. He carefully compared the signature on the receipt (that he watched me sign) to the signature on the back of the card (that he also just watched me sign)--and darn the luck if they didn't match.

Just one more case of ineffective authentication. Even without the crazy signature comparison in my situation, signature comparisons, while presenting a tad more difficulty using a lost card, make the following faulty assumptions:
1. that the card was signed by the actual person whose name was on it, and not by someone who fraudulently obtained it.
2. that the cashier is adept at signature analysis and also has the nerve to accuse a (potentially legitimate) customer of fraud.

I think there's a couple of things which need to be taken into account with IDs:

1) The ability to inherently trust that the person with the ID is that person. Meaning that the registration process of acquiring that ID is sound.

2) The ability for the person holding that ID to verify that they are the legitimate holder of that ID.

3) The ability for a failure of the ID system for a given person to be recovered in a timely fashion.

4) The data retained by an ID to be inaccessible by those not authorized to view that data. This should pretty much be everyone except the person who holds the ID (verification processes should be used much like that of a hashed password system).

All systems either evolve (adapt) or fail over time. While it is understood that people should have a choice whether they participate in some of these evolutions or not (i.e.: Do I really want my medical history on file? me personally, the benefits of having it greatly outweigh the risks of not), it is a bit unreasonable to think that society and to a large extent businesses are so intertwined (again, think healthcare).

It seems excessively inefficient (and thus a waste of tax payer money) and less secure to have multiple systems manage identity rather than one system. (yes, I understand there are greater implications there -- hence the rules stated above).

@nobdy: "A slightly less silly example,..."
@Conner: "Bruce has often written about the differences between identification, authentication and authorization. And still, most people don't understand the differences."
_____________

Nobdy, Conner is right. Your example wasn't really that silly. People don't impersonate just anyone for the heck of it, they prefer to impersonate someone whose identity is associated with value, be that value money, access to credit, access to data.

I also agree that the confusion between identification, authentication, and authorization, is definitely an obstacle.

This reminds me of the problem with password recovery procedures. We all have heard and even remember certain celebrities being hacked because all that was needed to get their password reset was certain publicly known information about their dog. You don't even need to forge someone's bills, as you can just lift them from their unsafe mailbox and make a copy, then replace them. Most people wouldn't notice. You could even call the utilities company to get a new bill sent. There are just too many problems with currently available authentication. It's what allows "card not present" transactions to be so easily forged. The same info you gave to merchant A can be used to defraud you from merchant B. You have no method of authenticating per-transaction aside from credit card anomaly detection. Replay attacks are just too easy. Digital IDs solve that, as each transaction requires unique data.

This is a perfect example of why Bruce calls identity theft an oxymoron. The identity isn't stolen, the person was falsely authenticated and used that to gain authorization to ______.

It's tantamount to somehow obtaining Bruce's password. It doesn't mean I become Bruce, it just means that I've tricked the network (authentication) into thinking I'm Bruce so it will authorize me to do what Bruce is allowed to do.

Apologies, most people here know this, so I apologize for preaching the obvious to the choir. However, I'm hoping that by some miracle someone with power will stumble across it.

One real problem with the "one ID for everything" is that for many purposes your authentication is as weak as the weakest person that you allow to do an authentication check. If you use the same authentication of identity to check out library books as you do to enter nuclear weapons storage, then library pages can do a man in the middle attack to access nukes. Just like a credit card, it only takes ONE disgruntled waiter to ruin your day.

I don't disagree. "Identity theft is an oxymoron" is Bruce's statement, and I think he makes an important point with it--people misunderstand what really happened. And when people misunderstand what really happened, they respond wrong.

I still use the term Identity Theft since people generally know what I'm talking about. Your point is valid that if I were to say something like "fraud through impersonation" that people may not realize what is being discussed.

@AppSec
The problem with "identity theft" is it puts the onus for fixing it on the wrong entity. That which is called "identity theft" is actually fraud and the entity responsible for fixing the fraud should be the defrauded entity (e.g. the bank), not the customer who had nothing to do with the fraud. The fact that the bank was defrauded should not affect the legitimate customer's bank account.

To Sum up: The criminal did not steal anything from me, the criminal stole money from a bank. I should not be required to spend my time and effort to fix or prevent this. That is the bank's job.
--
JimFive

@simon: What's tyrannical about a government knowing who all of its citizens are?

In the U.S. one can make a federalism argument, that IDs should be a State matter and not one for the Federal government.

In reality, though, unless your income is low enough that you don't have any Federal income tax liability, you have to deal with the Federal government on tax matters. Then they know you exist, who you are and your income, so what's the big deal about their issuing you an ID card?

@jan: "As for the "plastic surgery" attack: Is that not a "movie plot" threat? How often has this happened in the real world, outside of the intelligence community?"

It's a movie plot threat today. But that may change if the circumstances of identification change. Or more succinctly - if the alternatives to forging identity are made too expensive, then plastic surgery attacks will become more common.

And, since it's 'dual use' - the majority of plastic surgery being for legitimate reasons - we can count on the cost to come down and the effectiveness to go up as the legit market pushes the state-of-the-art forward.

@HJohn, good point on how "identity theft" is actually using someone's identity to "gain authorization to ______".

There is another, less-talked-about way to pervert identity - namely, rather than asserting that you *are* someone in particular (identity theft), asserting that you're *not* someone.

Governments everywhere seem to *love* collecting audit trails on people. As this data collection increases, the value of being able to not have your actions associated with your true identity will also increase...

(Hell, "private mode" browsing shows the perceived value of this already... even if it's just the SO that's deceived)

Buying a second hand car, how does one confirm that the seller is the rightful owner?

Yes there is a vehicle registration paper that shows the vehicle belonging to Mr X and Mr X produces a valid driving license in his name and a photo that looks a bit like him.

What next? I ask him for a govt issued id, but it is well known that there have been large scale fakes issued due to corruption in the govt.

So then I search the police nation wide stolen vehicle register. Even if the owner is aware it has been stolen and has registered the theft properly, the stolen vehicle register carries 'fine print' that disclaims responsibility for actions taken based on the information present. Nice...

Take a step back. How do I know the vehicle registration papers are genuine? I could head over to the motor vehicle dept and ask but under privacy policies they would rightfully decline to give me any information. Ideally this would also reveal if the vehicle has been hypothecated or involved in a serious traffic violation.

Now the vehicle transfer process requires the production of a letter from the local police that the vehicle is not stolen or involved in any serious traffic violation. Even if we accept the letter to be genuine, it comes with the caveat that this is based only on data available locally.

"Then they know you exist, who you are and your income, so what's the big deal about their issuing you an ID card?"

This seems a bit of a mission creep problem but even here it is still possible that you can drop off the radar (low income for example).

When there is a mandatory ID card this last hope for avoiding Government monitoring goes away.

I have multiple issues with a mandatory national ID card (*) despite having carried an Army ID for 22 years.

The most basic is around the civil liberty issue - I come from a military family where the last 10 generations have served. I have uncles and great uncles who died fighting wars because they felt it would keep Britain "free" and it strikes me to be a monumental insult to their (and their families) sacrifices for us to now surrender that hard won freedom so we can think our lives are a tiny bit safer.

I am old enough to remember the cold war propaganda about how oppressive regimes where you had to show your papers at police checkpoints are.

I served in Northern Ireland at a time when the public were (rightly) outraged at the imposition of "identity checkpoints" across the country. None of this worked. Even the ring of steel around Belfast was ineffective and just inconvenienced those who were willing to abide by the law.

In the UK it seems quite unclear as to who will be able to check the validity of the ID card and, to me, this confusion will do nothing other than make this the "gold standard" of ID for criminals. For it to work as promised, the ID card would need to allow a shopkeeper to check its validity and authenticity. Now how hard would it be for an even moderately resourced criminal to offer a minimum wage shop clerk a bit of extra cash to clone / attack every ID card shown. The list of possible attacks is monumental, and while HMG may have carried out a proper risk assessment at each stage, I am unconvinced.

The alternative is admitting that for 99.99999% of transactions the ID card is simply going to be a comparison between the bearer and the photograph.......... Makes it sound so much better than a passport or driving licence, doesn't it?

Why should *I* the citizen have to inform the Government every time I move? Why should the Government be able to monitor my (currently) law abiding activities? Why should I have to pay for the privilege of this monitoring?

Here is where I think the argument about the Government knowing I exist breaks down the most.

They know I exist. When I move, they can track me through bank records, tax records, voters records and the like. So why do they need the ID card? Why should I make it easy for them to track me without going through the proper legal process to get the right court orders? Why should I, by being law abiding, make it easier for them to investigate me as a criminal?

The moral of the story is the same as the beginning. If we, through craven cowardice, give up the rights it took our ancestors hundreds of years of sacrifice to gain how will we get them back?

If, in 20 years successive Governments have criminalised something you do today, are you happy that you no longer have anything to hide? (**)

---
(*) now if the ID card was *voluntary* and replaced the functions of passport & drivers licence I *might* reconsider my position.

"(*) now if the ID card was *voluntary* and replaced the functions of passport & drivers licence I *might* reconsider my position. "

I think that is a very important point. From my perspective the government totally mis-sold ID cards. The way they sold it was always going to bring about significant opposition. If they had quietly rolled out a voluntary database which would have made your life easier by simplifying the way you manage your personal details people would have been more likely to take it up. Look at all these other schemes which convince people to give up a significant amount of privacy in return for minor discounts or a slightly easier life.

Instead we have the benighted scheme.

"I am old enough to remember the cold war propaganda about how oppressive regimes where you had to show your papers at police checkpoints are."

Heh, I'm amused by the thought of today's Propagandists cursing the Propagandists of yesteryear for doing their job too well.

At Frankfurter Allee station on the Berlin S-Bahn a few weeks ago, I saw the worst ID card idea ever - a cigarette machine that had been mandated to do age verification, that also accepted bank card payments. It asks you to stick your national ID card in a reader, presumably verifies that you are 18 years old, then asks you to stick a bank card in another reader and complete PIN verification and online authorisation.

This involves trusting freestanding machines in seedy parts of Berlin with your bank card details, PIN, and everything on your national identity card.

I am reminded of the old joke about a man who, when asked by an authority figure, "Can you identify yourself?" takes out a pocket mirror, looks into it for a couple of seconds, and replies, "Yep, that's definitely me."

@Brian
Do you know what the author means by "holographic signatures"? Your post implied he meant regular old signatures that you leave everywhere, but when I read his article, I thought he meant a new signature-capturing technique involving tracking hand-motion that was developed in the last couple years that generates a more unique pattern associated with a signature.

And when trying to look that up, I ran across the following research on not-yet-forgeable holographic signatures which alternately perhaps he is referring to:
news.bbc.co.uk/2/hi/technology/3552132.stm

How about having a discussion about how identity cards should work. I suggest the following.

The card should simply take its stored 128-bit unique id, combine it with 128 bits of randomness (or the current time?), and then encrypt it with the public key of the issuer of the identity cards. (Even better, the card could simply store a few million unique ids, and provide them sequentially, never repeating.) The receiver of this bitstream then can submit it to the issuer and receive information about the cardholder (e.g. a photo, age, eye color, sex, etc.).

The first thing to note is that such identity cards cannot be forged without hacking the issuer's servers, because all the information is stored there. The card only has a unique id, not age, sex, eye color, etc. Second the card never gives out the same bit stream twice, making it a privacy enhancer because the card contents do not identify the holder and cannot be used in tracking. In some uses the server response does identify the user, but not all card uses require this.
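The exchange proposed in the comment above, as an added example that is not part of the original post, the paper, or any commenter's code: a small Go simulation of the three parties. The card holds only a unique id and the issuer's public key and emits that id plus fresh randomness encrypted under the key (RSA-OAEP from the Go standard library); the reader forwards the blob to the issuer, which decrypts it, refuses revoked cards and already-redeemed tokens (the revocation and replay points raised in earlier comments), and returns the attributes only it stores. The type and function names, the OAEP label, the 16-byte id and nonce sizes, and the sample holder attributes are all assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Attributes is what the issuer returns about a cardholder; none of it lives on the card.
type Attributes struct {
	Age      int
	EyeColor string
}

// Issuer holds the private key and the only copy of cardholder data.
type Issuer struct {
	key     *rsa.PrivateKey
	records map[[16]byte]Attributes // card unique id -> attributes
	revoked map[[16]byte]bool       // ids reported lost or stolen
	seen    map[[32]byte]bool       // hashes of tokens already redeemed (replay check)
}

// Card stores only its unique id and the issuer's public key.
type Card struct {
	id  [16]byte
	pub *rsa.PublicKey
}

// OAEP label binding tokens to this protocol (assumed value for the example).
const label = "id-card-token"

func NewIssuer() (*Issuer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Issuer{key: key, records: map[[16]byte]Attributes{},
		revoked: map[[16]byte]bool{}, seen: map[[32]byte]bool{}}, nil
}

// Issue registers a cardholder and hands back a card carrying only a random id.
func (is *Issuer) Issue(a Attributes) (*Card, error) {
	var id [16]byte
	if _, err := rand.Read(id[:]); err != nil {
		return nil, err
	}
	is.records[id] = a
	return &Card{id: id, pub: &is.key.PublicKey}, nil
}

// Revoke marks a card as lost or stolen; later tokens from it are refused.
func (is *Issuer) Revoke(c *Card) { is.revoked[c.id] = true }

// Token is what the card emits to a reader: id || 16 fresh random bytes,
// encrypted under the issuer's public key, so every token looks different.
func (c *Card) Token() ([]byte, error) {
	plain := make([]byte, 32)
	copy(plain[:16], c.id[:])
	if _, err := rand.Read(plain[16:]); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, c.pub, plain, []byte(label))
}

// Resolve is the issuer-side lookup a verifier invokes with a token it received.
func (is *Issuer) Resolve(token []byte) (Attributes, error) {
	h := sha256.Sum256(token)
	if is.seen[h] {
		return Attributes{}, errors.New("token already redeemed (replay)")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, is.key, token, []byte(label))
	if err != nil || len(plain) != 32 {
		return Attributes{}, errors.New("token was not produced under this issuer's key")
	}
	var id [16]byte
	copy(id[:], plain[:16])
	if is.revoked[id] {
		return Attributes{}, errors.New("card revoked")
	}
	a, ok := is.records[id]
	if !ok {
		return Attributes{}, errors.New("unknown card id")
	}
	is.seen[h] = true
	return a, nil
}

func main() {
	issuer, _ := NewIssuer()
	card, _ := issuer.Issue(Attributes{Age: 34, EyeColor: "brown"}) // constructed sample holder
	t1, _ := card.Token()
	t2, _ := card.Token()
	fmt.Println("two tokens from one card differ:", string(t1) != string(t2))
	a, err := issuer.Resolve(t1)
	fmt.Println("first use:", a, err)
	_, err = issuer.Resolve(t1)
	fmt.Println("replay of same token:", err)
	issuer.Revoke(card)
	_, err = issuer.Resolve(t2)
	fmt.Println("after revocation:", err)
}
```

Two things worth noticing when running it. The verifier learns nothing from the token itself, so two readers cannot correlate a holder by what the card sent them, but every lookup goes through the issuer, which therefore sees where and when each card is used; the scheme moves the tracking problem from the readers to the issuer rather than removing it. And a stolen card still produces valid tokens until it is revoked, which is why the earlier comment's secondary factor (a PIN or password the card does not carry) remains necessary.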

Yes, I would have been a fair bit more relaxed towards the scheme if it was an actual replacement of other documents I want to carry (and remained 100% voluntary). As it stands, most of my travel is outside of the EU and I drive a lot so, I would still be required to carry three documents and losing one would be a nightmare.

Most proponents of ID cards seem to have vague, fanciful ideas (often saying "it can replace XYZ") but none of this actually reflects Gov't policy. The problem with the Gov't policy is they don't seem to want to admit what they plan to do with it, so they change their stated aims each time a new challenge appears.

Basically, if someone is crazy enough to pay for a proof of age card that legally requires them to keep the state informed of their address, well, they are crazy.

@GreenSquirrel: "The problem with the Gov't policy is they dont seem to want to admit what they plan to do with it, so they change their stated aims each time a new challenge appears."
_______________

I don't know that it's the intent to keep a secret, I think it is a bit more innocent (read: clueless) than that. I think they simply do not anticipate what it will be used for.

An example of this Bruce used was driver's licenses. They used to prove a person was licensed to drive, but then they morphed into age verification for liquor and tobacco, id to fly, etc. I don't believe they intended driver's licenses to morph into what they have become in the beginning.

Before anyone thinks I'm defending the government, I'm not. I think the cluelessness as to what something like this will be used for is more problematic than if they have some unstated intentions, to be honest.

Fair comment and you might well be spot on. The more innocent option is actually more likely when I think about it.

I also fully agree that the cluelessness is *much* more worrying.

Basically you have technologically inept (and ethically dubious) people trying to bring something in that they don't really know what they want it for. This goes a long way to explaining the ever changing claims.

How they ever thought an ID card would protect us from terrorism is a bit odd (is it made from Kevlar?)

@GreenSquirrel: "How they ever thought an ID card would protect us from terrorism is a bit odd (is it made from Kevlar?)"
____________

They operate under the assumption that they can prevent terrorists from ever obtaining one, and by extension, use it to exclude terrorists from certain things (flying, getting a bank account, entering the country, etc.). There are obvious and less obvious problems with this: forgery, dangerous people that you don't know you can't trust, people who are no longer trustworthy, etc., and such people will be subject to less scrutiny because we'll have a false sense of security about them.